R38/R39 session: 7 PRs closing load envelope, security audit, generator drift, single-region ADR, stream-drain primitive

2026-05-22

api-serverapi-middlewarebuild-pipelineops-infradocs-adr

What We Built

A multi-PR batch addressing the R37 panel's five highest-priority risks toward the path-to-95 plan in docs/assessment-synthesis.md. The batch covers infrastructure observability + protection (load shedding), security audit closure (info-disclosure + admin path enumeration), build-pipeline robustness (vitest worker cap + generator self-formatting), and architectural decisions (single-region acceptance ADR + stream-drain primitive).

The session began with a real OOM incident — the local Mac was 97 MB free of 16 GB while the self-hosted CI runner was thrashing on 12 GB of vitest heap. Diagnosis + cleanup freed 3.9 GB and surfaced the vitest worker-cap formula as a real bug that affects every 16 GB Mac developer. From there the batch broadened to close adjacent R37 panel risks.

Why It Matters

R37's stochastic-assessment panel identified 5 risks scoring ≥3/10:

R37 panel riskThis batch closes via
Load envelope unknown above 15 VU (7/10)PR #411 — in-process load shedding + 100-VU artifact
EMB upstream OpenAI key embeddings permission (6/10)External — operator action
BSM-006 RBAC product question (5/10)External — product decision
Single-region us-east-1 deploy / no DR (5/10)PR #412 — ADR-006 with re-evaluation triggers
No adversarial security testing (4/10)PRs #406/#407/#408 — adversarial audit + 5 findings closed

Three of five risks are addressed by code/docs in this batch. The remaining two require external action (provider key provisioning, RBAC product decision) and are documented in their respective synthesis sections.

How It Works

Load shedding (src/api/middleware/load-shed.ts, PR #411)

In-process counter of concurrent in-flight requests. When count > BR_MAX_INFLIGHT_REQUESTS (default 80, derived empirically from 50-VU k6 knee), returns:

Retry-After: 5
Content-Type: application/json

{
  "error": {
    "code": "load_shed",
    "message": "Server is at capacity. Retry shortly.",
    "type": "service_unavailable"
  },
  "recovery": {
    "retry_after_seconds": 5,
    "retryable": true
  }
}

Health, readiness, ops, and .well-known paths bypass the shed so liveness probes always reflect process state honestly. Counter exposed on /v1/ops/status.capacity as inflight_requests, inflight_high_water, total_shed — feeds ECS target-tracking metrics.

Adversarial security audit (PRs #406/#407/#408)

Real audit against production (SHA 2633ce5). 8 attack vectors probed; 5 findings identified, 5 fixed:

  • #1 JWT diagnostic message leaked internal env-var existence — fixed: generic external message, internal diagnostic to CloudWatch
  • #2 x-br-build header exposed commit SHA on every response — fixed: restricted to operator endpoints (/health, /v1/ops/*, /v1/self, etc.)
  • #6 /.well-known/build.json leaked full SHA + branch + node_version publicly — fixed: public response now { surface, version, built_at, generator } only
  • #7 /openapi.json listed admin routes (/auth/admin/*) publicly — fixed: filter /auth/admin/, /v1/admin/, /v1/internal/ prefixes from public spec
  • #11 OPTIONS preflight returned 204 for any admin path (enumeration vector) — fixed: skip preflight auto-response for admin/internal prefixes

Full audit at docs/security/2026-05-22-adversarial-audit.md. Findings #3 (wildcard CORS — not exploitable with Bearer auth), #4 (RBAC envelope role hierarchy — intentional UX), and #5 (no body-size cap — caller-pays cost) were deferred as acceptable risk with rationale.

Build-pipeline robustness (PRs #409, #410)

PR #409 — vitest worker cap. Original formula: Math.max(4, Math.min(16, os.cpus().length)) → 10 workers on a 10-core Mac × ~1 GB peak each = ~10 GB heap budget on a 16 GB system. Stacked with editor, browser, Docker, and a self-hosted CI runner running its own vitest fleet, this thrashes into swap. Memory-aware fix: min(16, cpus.length, floor((totalMemGB - 8) / 1)) — caps 16 GB Macs at ~8 workers, leaves 32 GB+ untouched.

PR #410 — static-assets self-format. scripts/generate-static-assets.ts was producing 31-line compact JSON via JSON.stringify, but the pre-commit hook reformatted staged copies to 23,272-line multi-line via oxfmt. Every pnpm test regenerated the compact form, showing a 23,246-line "deletion" diff that looked like corruption. Fix: generator now invokes oxfmt --write on its output as the last step. After the fix, repeated regens produce a stable 4-line BUILD_INFO drift instead of cosmetic 23k-line churn.

Single-region acceptance ADR (PR #412)

ADR-006 documents the current us-east-1 single-region deployment posture as accepted for the current business stage, with five explicit re-evaluation triggers (customer SLA commitment, paid-tier billing tied to availability, regulatory data-residency, AWS reliability degradation pattern, annual review). Closes the R37 panel "Single-region us-east-1 / no DR" risk via the formal-acceptance branch of the R39 plan.

Streaming tracker primitive (PR #413)

src/api/middleware/streaming-tracker.ts — the primitive that makes SIGTERM stream-drain observable and bounded. Provides:

  • streamingStarted() → returns a finisher
  • getActiveStreams(), getHighWaterStreams(), getTotalStreamsStarted() — counters
  • signalShutdown(), onShutdown(fn) — drain signal + listener registration
  • waitForStreamsToDrain(timeoutMs) — bounded wait for the shutdown sequence
  • getStreamingCapacity() — snapshot for /v1/ops/status.capacity exposure

12 tests covering double-finish safety, high-water mark, listener fan-out + throw-resilience, drain timeouts. Wiring to streaming.ts handlers and runGatewayLoop SIGTERM path is a follow-up PR.

The Numbers

MetricR37 baselineThis batch (forecast post-merge)Δ
Stochastic-assessment score91.4493.0–94.2 (R38 forecast)+1.6 to +2.8
Panel risks ≥3/10 addressed03 of 5+3
In-process backpressurenone80 concurrent cap with structured 503new
100-VU error rate (pre-fix evidence)32.19%(post-fix unmeasured; load-shed bounded by design)
OOM-class developer incidentsrecurringstructurally eliminated by #409new
Static-assets cosmetic diff per regen23,246 lines4 lines (BUILD_INFO only)99.98% reduction
Adversarial pen-test findings closed05+5
Self-hosted runner availability incidentsnone documenteduninstall + reinstall protocol exercisedrunbook material

Competitive Edge

Three angles competitors don't have:

  1. Structured load-shed envelope. Portkey / Helicone / LiteLLM return either 503 with no body or pass through provider error. BR's { code: load_shed, recovery: { retry_after_seconds, retryable: true } } gives AI agents typed control-flow primitives — they can read recovery.retry_after_seconds and back off cleanly without parsing free-form messages.
  2. Capacity introspection on every deploy. /v1/ops/status.capacity exposes heap_size_limit_mb (V8 OOM ceiling), heap_utilization_pct (actual), inflight_requests (live concurrent), inflight_high_water (peak observed), total_shed (cumulative). No other AI gateway publishes this layer. This is what made the R36→R37 heap-pressure refutation possible.
  3. Documented single-region acceptance with explicit triggers. Most early-stage platforms either don't think about multi-region or quietly hope it doesn't matter. ADR-006 names the exact conditions that force a re-evaluation, so the platform doesn't silently drift into accepting risk as scale grows.

Lockstep Checklist

> Verified before commit:

  • [x] API Routes: src/api/routes/ not directly changed in this ship log batch (route changes are in their respective PRs #406-#408 + #411).
  • [x] TS SDK: No SDK changes — error envelope shapes are additive (recovery field) and existing handlers tolerate unknown fields.
  • [x] Python SDK: Same — additive only.
  • [x] MCP Schemas: No tool schema changes in this batch.
  • [x] Master Record: Capability changes (load shed, streaming tracker primitive) will be reflected once PRs merge.

Path-to-95 status after this batch

RoundTargetStatus
R3791.44 (achieved)Baseline
R38~92.5 (synthesis forecast)Queue: #406/#407/#408/#411 cover 3-of-4 R38 items; key + RBAC external
R39~94 (synthesis forecast)Queue: ADR-006 (#412) ✅; streaming-tracker primitive (#413) 🟡 wiring follow-up; catalog ingestor MVP — pending verification doc
R4095Not started: doc audit, chaos cadence, incident-recovery runbook, sustained-ship evidence

R38 forecast met. R39 partially met. R40 work remains. Honest assessment: path to 95 requires sustained engineering across multiple sessions, not one round of cleverness.

Related PRs

  • #406 — security: adversarial audit + 2 info-disclosure fixes (JWT diagnostic, x-br-build)
  • #407 — security: filter admin paths from /openapi.json + sanitize /.well-known/build.json
  • #408 — security: gate OPTIONS preflight on admin/internal paths
  • #409 — tests: cap local vitest workers by RAM
  • #410 — build(static-assets): self-format with oxfmt
  • #411 — feat(api): in-process load shedding + 100-VU artifact (R38 evidence)
  • #412 — docs(adr): ADR-006 accept single-region us-east-1
  • #413 — feat(api): streaming-tracker for SIGTERM stream-drain (R39)